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About this Guide 
About Qualys 


About this Guide 


Welcome to Qualys SaaS Detection and Response (SaaSDR)! We'll help you get acquainted 
with the Qualys solution to help enterprises with the security and compliance of their 
SaaS applications using the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance, and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations, including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 


SaaS Detection and Response Overview 
How to get started 


SaaS Detection and Response Overview 


Qualys SaaS Detection and Response (SaaSDR) expands the capabilities of the Qualys 
Cloud Platform to help enterprises with the security and compliance of their SaaS 
applications. It will provide a single console for IT admins to connect to their critical SaaS 
applications, manage them centrally, secure data on these critical cloud apps, maintain 
compliance and manage costs. It is a tool for IT admins to manage SaaS sprawl effectively. 


Benefits of SaaSDR 
- Provide a single console for IT admins to centrally secure their data no matter where it is 


- Gets a consolidated view of external users who have access to internal documents and 
internal users that are sharing documents externally 


- Get visibility into documents that are exposed and take steps to make them private 


- Get visibility into apps that have given access to sensitive data and take steps to alert 
and block them 


- Understand the compliance posture of your critical SaaS applications to ensure that you 
pass industry-standard benchmarks. Currently, we support the CIS Microsoft 365 
Foundations Benchmark v1.3 


How to get started 


With SaaSDR, you'll view all your resources, like files and folders, third-party applications, 
and meetings identified from the scanned SaaS applications, view the policy controls to 
monitor your compliance posture, and perform different actions on the existing reports. 


SaaS Detection and Response Overview 
How to get started 


Home 


Hello Himn 


Welcome to Saas Detection and Response 


Manage and secure the SaaS apps and data that help drive your business. 


( Learn More) 


c» Build Inventory @ c9 Monitor Compliance [a =A Report and Respond e 


Connect your SaaS platforms to Qualys. Discover all users, files Assess your Saas platforms for secure configurations against Use in-built or customized policies for assessing compliance. 


and applications on them. View these data from multiple SaaS CIS. Discover security loopholes through compliance Create compliance reports according to various mandates. Fix the 
platforms on a single console. assessments. SaaS misconfigurations automatically. 


Get In-Depth Visibility Of Users, Files And Apps 


bd B a 


CTT 131 zn asi 29 
Download Powershell Module i CON E ORE. TEN CEN 


Configure a Connector 


Just set up a connector with your SaaS applications, and that's it! We'll start discovering 
important information about your SaaS applications that will help you view and monitor 
the data on these applications. 


Build Inventory 


View all the Users and User Groups in your organization. Also, view all your resources, like 
files and folders, third-party applications, and meetings identified from the scanned SaaS 
applications. 


Monitor Compliance 


Enable and run the CIS Microsoft 365 Foundations Benchmark v1.3 policy for your 
connectors. View the policy controls to monitor your compliance posture. 


Fix Security Misconfigurations 


Remediate the controls if any of the controls have a failed status for security posture for 
Office 365 subscriptions. 


Report and Respond 
Perform different actions on the existing reports. 


Search your Inventory 


Use our guided search capabilities and craft advanced queries combining multiple criteria 
to search all your resources and directories. 


Create Connector 


Create Connector 


Start by creating a connector to your SaaS application. 
Supported connectors for this release: 
- Microsoft Office 365 


Note: Qualys SaaSDR supports Azure AD, Sharepoint, Onedrive, ExchangeOnline, Teams 
services for Microsoft Office 365. 


- Salesforce (SFDC) 
- Zoom 

- Google Workspace 
- Slack 

- Dropbox 


Pre-requisites 
- You must install Powershell Module for compliance assessment of Microsoft Office 365. 


For more information on installing Powershell Module, click here. 


Let's get started! 


Choose SaaS Detection and Response (SaaSDR) from the app picker. You’ll need the SaaS 
application credentials to create the connector. 


The steps to create a connector depend on the SaaS application for which you want to 
create the connector. Refer to the Create Connectors section of the Online Help for 
information on configuring your connector. 


The newly created connector appears in the Configurations > Connectors list. Here you 
can check the status and other details of the connector. 


You're ready! 


Once the application is connected, a scan is initiated to pull metadata from the 
application. This step may take some time to complete based on the number of resources 
to be cataloged in your application. 


Create Connector 
Connector Actions 


Connector Actions 
Once a connector is added, the following actions can be performed: 
Edit - You can edit properties for any connector. 


Enable/Disable - You can enable or disable any connector for automatic Incremental 
Scan. 


Sync - If any connector fails to sync because of some back-end errors, you can manually 
Sync the connector. 
Delete - You can delete any existing connector. 


Re-Authenticate - Whenever you move to a new version of SaaSDR, you must re- 
authenticate if the existing connector does not appear on the application UI. 


Connector Status 


You can view the status of the connector once you create a connector. Types of statuses 
are: 


- Pending 

- Success 

- Partial Success 
- Error 

- Unauthorized 


To know the status of the connector scan, go to Configuration > Connectors. 


Inventory Details 
View Directory 


Inventory Details 


View all the Users and User Groups in your organization. Also, view all your resources, 
such as files and folders, third-party applications, and meetings identified from the 
scanned SaaS applications. 


View Directory 


Once your SaaS application is connected, a scan is initiated to pull metadata from the 
application. This step may take some time to complete based on the number of users and 
resources to be cataloged in your application. 


As your scan progresses, the Directory tab populates with all the users and user groups in 
the company that have access to the SaaS applications. 


Navigate to Directory > Users or Groups tab and view the list of all users and user details, 
what kind of access the user has: internal or external, the role of the user, and so on. 


SaaS Detection and Response V HOME DASHBOARD DIRECTORY RESOURCES POLICY MONTOR RESPONSE REPORTS CONFIGURATION Ra 


Directory Users Meg 
196 hmi | | GroupBy v 1-50 of 156 e ( 
Total Users 
ME EAL CONETOR ABS 
| @qnai.com 3 Dropbox EXTERNAL 
E AWSPublicSite Site Guest User e EXTERNAL 
Salesforce 5 
Office 365 56 | AWSPublieSite Site Guest User es EXTERNAL 
Google Workspace 1 
Dropbox s | AWSPublicSite Site Guest User gp icis EXTERNAL 
Zoom 4 
qs EXER 
(ONE («s SER 
0365 0Ap01 28 


As part of the SaaS connector scan, SaaSDR classifies users as: 


- Internal: These are mainly the employees of an organization that have an account on the 
SaaS application. 


- External: These are mainly the users outside an organization with whom data is shared. 


Internal or External users are classified differently depending on the SaaS application you 
are connecting. Except for SFDC, the classification is the same for all other products. 


View Resources 


View Resources 


A list of resources such as files, folders, third-party applications, and meeting details are 
displayed in the Resources tab. You can view details such as what kind of resource access, 
whom are the resources shared with, the owner, etc. 


SaaS Detection and Response ~ HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION g| 


Resources Files & Folders ENTIS 


122K 


Total Files & Folders 


1-80 of 121728 


MME OWNER CONNECTOR ACCESS ‘SHARED WITH LAST MODIFIED ON 
check incr 12/1 & siie INTERNAL * Jan 12,2022 

: Su 1107 AM 
ACCESS : 


External 514K check incr 12/1 & sii INTERNAL = Jan 12, 2022 
Internal 424K tet 1107 AM 


Anyonewithlink — 163K 
Domain 118K 


ext regression 1.5.0.docx g 0365 EXTERNAL 1 Jan 11,2022 
document 03:26 PM 


ext regression 1.5.0.docx rcs EXTERNAL 4 Jan 11,2022 
document 0326 PM 


Document5.docx nos INTERNAL $ Dec 23, 2021 
documen: 06:12PM 


Document5.docx g ofic 365 INTERNAL E Dec 23,2021 
CONNECTOR document 06:12PM 


The Files & Folders tab lists the documents and folders in your company. 


The Applications tab lists all the third-party applications installed by users in your 
company. You can view details like who has installed these applications using the 
company account and what permissions are granted. toggle between the Apps views to 
view this data grouped by the app name and the Users view to view the count of apps 
installed by each user. 


The Meetings tab lists all the meetings and webinars conducted via applications such as 
Zoom. Note that the tab lists only those meetings with at least one recording. SaaSDR 
does not capture the meetings that do not have recordings. 


Note: Qualys SaaSDR does not list ongoing meetings or meetings scheduled for the future. 


For SaaSDR to list a meeting, the meeting should be concluded and have at least one cloud 
recording. 
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Policy 
Enable a Policy 


Policy 


Qualys provides best practices policies based on vendor's suggested best practices, 
industry practices, and some research. Currently, policies in the library are used for 
assessment purposes as they are. As we increase the content (number of controls) for each 
SaaS, we also offer to combine some of the CIS controls or best practices policies or vendor 
policies. 


You can filter the policies provided out of the box under the 'System-defined' category. The 
user-defined policies (aka custom policies) are filtered under the 'User-defined' category. If 
the System-defined policies appear to be locked indicates that these policies cannot be 
changed. 


Enable a Policy 


You can run policies and benchmarks defined for your SaaS application. The controls are 
validated, and the pass or fail status is displayed. Currently: 


For Google Workspace, we support Best Practices. 

For Zoom, we support CIS Benchmark and Zoom Best Practices. 

For Salesforce, we support Best Practices. 

For MS O365, we support CIS Benchmark and Microsoft Office 365 Best Practices. 


Navigate to the Policy tab to view all the policies provided by Qualys. You can also enable 
or disable the policy for a connector. 


SaaS Detection and Response v HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION &Q 


Policy Policy Mei 


10 


Total Policies 1-10of 10 


NAME SMS CREATED BY MODIFEDBY 


0 Zoom 

SMS Jan 18,2022 Jan 19,2022 
Tab z Salesforce Best Practices & Sakstorce SYSTEM SYSTEM. 
CHEERS : Associated Controls: 48 Jan8,2021 Dec 30, 2021 
Office 305 3 
Zoom 3 Microsoft Office 365 Best Practices Ü Office 365 SYSTEM SYSTEM 

Associated Controls: 73 Jul 22,2021 Dec 30, 2021 
POUCH Google Workspace Best practices G Google Workspace SYSTEM SYSTEN 
System Defined $ Associ ds: 14 Jung,2021 Jul22, 2021 
User Defined 4 

salesforce test G& Salesforce " P 

Associated Controls: 3 Jan 20, 2022 Jan 20, 2022 
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Policy 
Manage Policies 


Click on the policy to open it in the View Mode and navigate to the Connectors tab. Select 
a connector and from the Actions menu, enable or disable the policy for this connector. 


< Policy Details: CIS Microsoft 365 Foundations Benchmark 


VIEW MODE 
Connectors 


Policy Information 2 


Actions (1) v 1-10f 1 


Controls 


z LJ Difice 365 Test connector Thu, 15 Oct 2020 23:28:50GMT E 5 
PIN e a ur S Pn Sen P end tO NN A Dl SPI P P ee E I ms Ie Pe Pd 


The Controls tab lists all controls and their details, such as Saas, criticality, etc. Click on 
any control to view details specific to that control. 


e Qualys. Express 
€— Control Details: Ensure multifactor authentication is enabled for all users in administrative roles 
VIEW MODE 
Summary 
Specification Ensure multifactor authentication is enabled for all users in administrative roles 
Policies Criticality: JJ High 
Evaluation 
Rationale . . 
Identification 
Remediation 
CID Control Description 
References 70089 Ensure multifactor authentication is enabled for all users in 
administrative roles 
Control Type SaaS 
System Defined n Office 365 
Created By 
SYSTEM, Oct 28, 2020 04:07 PM 


Once you enable a policy for a connector, you can view your compliance posture in the 
Monitor tab. 


Note: For the following controls to be evaluated in SaaSDR accurately, enable the "Apps 
that don't use modern authentication" setting in Microsoft 365 Admin Center » SharePoint 
» Policies » Access Control: 70123, 70124, 70125, 70105, 70100, 70095. 


Note: You must have a Microsoft 365 E5 license to evaluate the following four controls: 
70098, 70099, 70112, and 70113. 


Manage Policies 
You can perform the following activities on the policies: 
- Viewing policy details 


- Re-evaluating a policy 
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Policy 
Control Library 


Viewing a policy 
To view a policy, select an existing policy, go to Actions > View. 


The View Mode displays policy details such as Basic Details, SaaS application, Created By, 
Modified By, associated Controls, and so on. 

Re-evaluating a policy 

You can re-evaluate all controls associated with a policy. 

To re-evaluate controls of a policy, select an existing policy, go to Actions > Re-evaluate. 


If the Re-evaluate button is disabled, refer to Connector Warnings. 


Connector Warnings 
On the Policy List page, there are warnings for different scenarios. 


Take necessary actions based on the type of warning prompted. 


Control Library 


TD 


The controls library is displayed under the Policy > Controls tab. 


This page lists the out-of-the-box controls for different SaaS apps. 


SaaS Detection and Response ~ HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION ac 


Policy [UE controis 


197 


Total Controls 


1-50 of 197 Bus 


cin NAME Sus CREATED BY CRITICAUTY 
70000 Ensure owners are not allowed to delete all the messages that users sent in chat g office365 SYSTEM Bs 
Jul 22, 2021 
aa 70001 Ensure users are not allowed to delete their own messages sent in chat g Office 365, SYSTEM B 
1a ui 22,2021 
no "€ 3 2 
bs 70016 Ensure users do not use Citrix ShareFile as a third party storage g Office 365 SYSTEM BU 
ui 22,2021 
CONTROL TYPE 70017 Ensure users do not use DropBox ShareFile as a third party storage (J ottceses SYSTEM Ho 
System Defined 197 Jul 22,2021 
c 70018 Ensure users do not use Box SharcFile as a third party storage g office 365 SYSTEM Bs 
CRITICALITY DAN 
Low 54 
High 72 70019 Ensure users do not use Google Drive ShareFile as a third party storage f] ossis SYSTEM B 
Medium n Red 
70043 Ensure anonymous users are not allowed to join a meeting g Office 365 SYSTEM BU 
POLICY Jui 22, 2021 
48 
B 70050 Ensure users are not allowed to forward calis or simultaneous ringing of inbound calls to external phone numbers n] Office 365 SYSTEM B 
s Jul 22,2021 
6 70081 Ensure voicemail is disabled for routing inbound calls g Office 265 SYSTEM Bs 
a 24 Jul 22,2021 


Custom Policies 


On top of CIS, Qualys provides best practices policies based on vendors’ suggested best 
practices, industry practices, and research. Currently, policies in the library are used for 
assessment purposes as they are. As we increase the content (number of controls) for each 
SaaS, we also offer to combine some of the CIS controls, or best practices policies, or 
vendor policies. 
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Policy 
Custom Policies 


Some policies provided out of the box are filtered under the 'System-defined' category. You 
can filter the user-defined policies (aka custom policies) under the ‘User-defined’ category. 


System-defined policies are shown as locked, indicating that you cannot change these 
policies. You can either create a new policy or edit an existing policy. 


Note: This feature is only available for users with a trial or full subscription of the 
application and not for users with a free subscription. 


You can create a new policy by Policy tab > Create New. 


The newly created policies appear under the Policy Tab. 


HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION 


SaaS Detection and Response 


Policy Policy MESI 


10 


Total Policies 


NAME 


tes 


sociated Controls: 6 


Salesforce Best Practices 
A ls 


e 365 Best Practices 


ET 


Q^ 


& Salesforce 


f] officeses 


1-10 of 10 


CREATED BY WODIRED BY 
qerGqw.com. awer@qwcom 
Jan 19, 2022 Jan 19, 2022 
SYSTEM 
Jan 8, 2021 


rols: 73 


POLICY TYPE 


System Defined 6 


ace Best practices G Google Workspace. SYSTEM 
rols: 14 Jun9,2021 
User Defined 4 


Manage Custom Policies 

You can perform the following activities on user-defined policies: 
- Editing existing user-defined policies 

- Deleting a user-defined policy 

- Viewing policy details 

- Re-evaluating a policy 


Note: Editing and deleting options are only allowed for user-defined (custom) policies. 
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Monitor SaaS Applications 
Custom Policies 


Monitor SaaS Applications 


You can run policies and benchmarks defined for your SaaS application. The controls are 
validated, and the pass or fail status is displayed. 


Navigate to the Policy tab to view all the policies provided by Qualys. From here, you can 
also enable or disable the policy. 


SaaS Detection and Response v HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION AG 


10 


1-Wof 10 (0 D] 4C 


Total Policies 
NAME SUAS CREATED BY MODIRED BY 
tes o Zoom 
SAAS Associated Controls: 6 Jen 13,2022 Jen 19,2022 
Sales 2 
j em Salesforce Best Practices & Salesforce SYSTEM SYSTEM 
some Noe : Associated Controls: 48 Jan8,2021 Dec 20,2021 
Office 365 3 
Zoom 3 Microsoft Office 365 Best Practices [] oss SYSTEM SYSTEM 
Associated Controls: 73 Jul 22, 2021 Dec 30, 2021 
POLICY TYPE z 
Google Workspace Best practices G Google Workspace SYSTEM SYSTEM 
System Defined 6 Associated Controls: 14 Jun9,2021 Jul22,2021 
User Defined 4 
salesforce test & Salesforce — m 
Associated Controls: 3 Jan 20,2022 Jan 20, 2022 


SaaS Detection and Response ~ HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION AQ 
Monitor 
à for Controls G)  Lasi30Dgs v| = 
Total Controls Evaluated H Leu 
Dr] CONTROL NAVE ORITCALTY CONNECTOR 
a 7047 Ensure that no expired certificates are being used in the Certificate and Key Management Bs gu 
RESULT. Salesforce Best Practices 
Fail 155 
Eon n 70142 Ensure that clickjack protection is enabled for non-setup Salesforce pages ges & sic 
fur 98 Salesforce Best Practices 
7021 — Ensure that users are warned before being redirected outside of Salesforce LE LT 
CRITICALITY à 
salesforce Best Practices 
High 160 
Medium E 70143 Ensure that elickjack protection is enabled for customer visualforce pages with standard headers gs &B site 1 
Low "2 Salesforce Best Practices Tales 
CONNECTOR 70222 — Ensure that identity verification for email address changes is enabled gs [T 1 
Genel n. Salesforce Best Practices Tanina: 
offe 365 110 
= = Toas Ensure that Clickjack protection for customer visualforce pages with headers disabled setting is enabled Bos [T 
Salesforce Best Practices 
sfdc 48 
sfdc test 48 " " " & 
70223 Ensure that email confirmation for email address changes is enabled ges qui 1 
emoe y Salesforce Best Practices eT 
SAAS 70187 Ensure that the setting Require HttpOnly attribute! is enabled B BD sic 
Office 365 220 ‘Salesforce Best Practices =e 
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Monitor SaaS Applications 
Monitor Compliance Posture 


Monitor Compliance Posture 


In the Monitor tab, you can monitor your compliance posture in real-time for each 
connector. View details such as connector type and the security posture at a glance. 


SaaS Detection and Response V HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION Rom 


Monitor Controls BEIN 


Qq t jon ®© Last30 Days v = 
] e - c LOG 
Total Controls Evaluated H 1-500f 403 EG) LO Q 
cio CONTROL NAME CRITICALITY CONNECTOR ‘SECURITY POSTURE 
x 707 Ensure that no expired certificates are being used in the Certificate and Key Management Bes [- stic 1 E 
RESULT m Salesforce Best Practices AMET 
Feil 155 | 
n = 70142 Ensure that clickjack protection is enabled for non-setup Salesforce pages [LE [1 
m. A Salesforce Best Practices km 
Ton Ensure that users are warned before being redirected outside of Salesforce Bes [1 
CRITICALITY 4 
Salesforce Best Practices 
High 160 
Medium 131 7043 Ensure that clickjack protection is enabled for customer visualforce pages with standard headers Wes & stic 
Low "2 Salesforce Best Practices 
CONNECTOR 70272 Ensure that identity verification for email address changes is enabled Bes & stic 1 
— Eo Salesforce Best Practices E 
off 365 110 m 5 7 E " EET 
d pa 70144 Ensure that Clickjack protection for customer visualforce pages with headers disabled setting is enabled [LE & sti 1 
Salesforce Best Practices uaa 
FA z Taraire 
sfdc test 48 F " ^ A 
70223 Ensure that email confirmation for email address changes is enabled Bes [1 
eim Salesforce Best Practices 
SAAS 70157 Ensure that the setting Require HttpOnly attribute’ is enabled Bs & stic 
Office 365 220 Salesforce Best Practices 


From the Security Posture column, you can drill down to view details of each control and 
their pass or fail status. Click on each control to view further control details, such as 
remediation, evidence, etc. 
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Monitor SaaS Applications 
Events 


Events 


You can view and filter the events related to Salesforce, Dropbox, and Office 365 according 
to the service types. You can view the events of varying criticality related to the user, 
application, and files. This view helps IT admins and Security Operations teams monitor 
any unusual activities. 


To view any user activity, go to Monitor > Events. 


You can filter the activities by clicking on any Category, Sub Category, or, Severity options 
available in the left navigation pane. The filter depends on the variations of the events 
appearing in the list. 


(a= ae HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION Ad 


Monitor 
Q (3, Lasi30Da.s v 3 
2. 04K 1-50 of 2039 woo’ 
Total Events B = 
NAME CONNECTOR TME ACTOR SEVERITY 
Add app role assignment grant to user n offe 265 Jan 28,2022 
CATEGORY ere 
; Consent to application J ots Jan 28,2022 (tow) 
03:33 PM 
Add app role assignment grant to user n ofíc 365 »: 
PM 
Consent to application f] offeses Jan 28,2022 km 
03.08 PM 
UserLoggedin n offe 365 Jan 28,2022 
0203 
UserLoggedin p otte 26s Jan 28,2022 
0201 PM 
UserLoggedin n offe 205 Jan 28, 2022 
0201 PM 
Medium Vx UserLoggedin J sss Jen 28,2022 
Low 285 O58 PM 
High 32 
UserLoggedin n ofíc 365 Jan 28,2022 
DISRPM 


To view the details of the User Activity Event, click the Event. 


The detail page will show a pop-up in JSON view. 


SaaSDR monitors Dropbox logs and Office365 logs for events (as recommended by CISA) 
such as: 


- Failed login 

- Update Application Permission 
- Update Group 

- Set domain authentication. 

- Add admin role to a member 

- Remove admin role 

And a lot more! 


To know more about Office 365 logs for events, click here. 
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Security Misconfigurations 
Remediation for Office 365 


Security Misconfigurations 


Qualys SaaSDR enables you to remediate the controls that have a failed status for security 
posture for Office 365 subscriptions. 


For now, you can fix security misconfigurations for Office 365 without having to separately 
log in to the Admin Center of Office 365. 


Remediation for Office 365 


For Office 365 subscriptions, you can remediate the controls that have a failed status for 
security posture. 


To remediate a control, go to the Monitor > Controls tab, select the control you want to 
remediate, and click Remediate. 


Note: You can only fix tenant-level misconfigurations without logging into the Office 365 
admin center. To filter the tenant-level misconfiguration, use the control.remediation: 
"Yes" search token to filter the remediable controls. 


Only the controls with the | X icon are remediable: 
Select the required controls you want to remediate from the list of available controls. 


| SaaS Detection and Response v HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION 2OQM 


Monitor 


g 
3 
a 
E 
f 
iad 
E 


(3)| Last30Days v| — 


33 


s ET 1-38 of 33 


CRITICALITY. |, CONNECTOR 


à in users from creating security groups High 0365 
Hion " id diii Wo g 


Medium 10 
applications’ is set to 'No* B uo n 0365 
CONNECTOR 


abled on Exchange Online B EE n 0365 
K v1.40 


Creating a Remediation Job 


Once you click Remediate, you can create a remediation job. 
1. On the Basic Information window, enter the Name and Description and click Next. 
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Security Misconfigurations 
Remediation for Office 365 


The SaaS and the Connector fields are auto-populated. 


€— Create New: Remediation Job 


STEPS 1/3 


@ Basic information 
2 Select Controls 


a Review and Confirm 


Basic Information 
Add details of the remediation job here. 


Name * 


Remediate Controls 


Description 


a 


250/250 characters remaining 


SaaS * 
Office 365 


Connecter * 


0365 2103 


2. On the Select Controls window, click Next if all the details appear correctly. 


Or, 


Optional: You can choose to remove controls or add new controls. 
Remove controls: Select one or more controls available in the list and click Remove 
Selected or use the Remove control icon to remove control. 


€— Create New: Remediation Job 


STEPS 2/3 


Basic Information 
Select Controls 


3 Review and Confirm 


Select Controls 
Choose the failing controls to add to the remediation job. 
Controls (2) 
EB co NAME REMEDIATION ACTION CRITICALITY 4- 
70059 Ensure prevent non-admin users from creating security groups Set-MsolComparySettings-Us.. Mj High 
70093 Ensure modern authentication is enabled on Exchange Online Set-OrganizationConfig-OAuth.. Bj High bd 
Cancel Previous. ] Next 
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Security Misconfigurations 
Remediation for Office 365 


Add controls: You can also add controls when creating the remediation job using the Add 


Controls icon as highlighted below: 


€— Create New: Remediation Job 


STEPS 2/3 


Basic Information 
Select Controls 


Select Controls 
Choose the failing controls to add to the remediation job. 


3 Review and Confirm Controls (2) 
Remove Selected 
O œ NAME 
70059 Ensure prevent non-admin users from creating security groups 
70093 


Ensure modern authentication is enabled on Exchange Online 


REMEDIATION ACTION 


CRMICALTY | 
Set-MsolCompanySettings-Us-. Bj High x 
SetOrganizationConfig-OAuth. B High x 


3. Review the controls and click Next. 


4. On the Review and Confirm window, confirm the details and click Create. 


© Create New: Remediation Job 


STEPS 3/3 


Basic Information 
Select Controls 
Review and Confirm 


Review and Confirm 


You're all done! Review your selection and click Submit. This remendiation job will be created and added to your remediation jobs list. 


Basic Information 

Name Description 
test - 

SaaS Connect 
Office 365 


0365 2103 


Selected Controls 
co NAME 


70059 Ensure prevent non-admin users from creating security groups 


70093 Ensure modern authentication is enabled on Exchange Online 


[ 5 |[ roo | NEN 


REMEDIATION ACTION CRITICALITY | 
SetMsolCompanySettings -Us.. J High 


‘Set OrganizationConfig-OAuth... J High 


Once you initiate the remediation, the compliance scan automatically reflects the latest 
compliance posture. The status of the controls changes based on the scan results once the 


remediation is successful. 


20 


Security Misconfigurations 
Remediation for Office 365 


You can view the status of remediated jobs under the Response > Remediation Jobs tab. 


‘SaaS Detection and Response v HOME DASHBOARD DIRECTORY RESOURCES POLICY MONTOR RESPONSE REPORTS CONFIGURATION aom 
Response Remediation Jobs 
Q sea o 
Total Remediation Jobs ern reste OE Oe 
MME STATUS CONNECTOR CREATED BY NUMBER OF CONTROLS COMPLETED 
Remediate 70015 Completed n oss 1of1 
STATUS Jan 28, 2022 [el 
Cea ý Remediate 70059 Completed g oss 1of1 
ONNER Jan 28, 2022 =a 
" Remediate 70058 Completed n oss 1of1 
Jan 28, 2022 Sa 
- Completed p otfe ses 1of1 
Jan 28, 2022 E 
Remediate 70184 Completed g oss 1of1 
Exchange Jan 28, 2022 aaa 
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Response 


Response 
Remediation for Office 365 


In the Response tab, you can check the status of different response activities. 


Go to the Remediation Jobs sub-tab to check the remediation jobs used to fix the 
misconfigurations on your SaaS tenants. You can view the progress and status of the 
remediation job(s) and export the details from the Response tab > Remediation Jobs sub- 


tab. 


By default, the remediation job is in the Disabled state. You must enable it to get started. 


| SaaS Detection and Response ~ 


Response Remediation Jobs 


‘STATUS 
Cancelled 5 
Completed 60 
Disabled 2 
Pending Evaluati... 1 


HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION ROM 


1-500f 68 QO HOG 


CREATED BY NUMBER OF CONTROLS COMPLETED 
0of1 
Mar 14,2022 


of 11 
Mar 14, 2022 


12023 
Mar 14 2002 [i 
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Response 
Remediation for Office 365 


Reports 


Reports 


SaaSDR allows you to view all the application reports. The Reports tab lists all the existing 
reports. 


] 
SaaS Detection and Response HOME DASHBOARD DIRECTORY RESOURCES POLICY MONITOR RESPONSE REPORTS CONFIGURATION Ad 


Reports Reports 


a Op 
ELE 
REPORT NAME STATUS Sus FORMAT CREATED ON CREATED BY EXPIRES ON 
Completed G Google Workspace. PDF Jan 28, 2022 Feb 4, 2022 
0400 PM 0400 PM 
Completed [] oe sss PDF Jan 24, 2022 Jan 31,2022 
04:46 PM 04:46 PM 
Completed f] office 265 POF Jan 24, 2022 Jan 31,2022 
1039 AM 1039 AM 
Completed [] ofc ses csv Jan 24, 2022 Jan 31,2022 
1038 AM 1038 AM 


You can perform different actions on an existing report: 


Create Report - The newly created report appears on the landing page of On-Demand 
Reports. 


To perform other actions on existing reports, go to Actions (1) drop-down menu: 
- Run report 

- Edit report template 

- Delete 

User can also download the report using the download icon. 


The report can be downloaded in two options: CSV and PDF format. 
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Reports 


Trusted Domains and Applications 
Add Domains and Applications as Trusted 


Trusted Domains and Applications 


When you work closely with members of a different domain, you might want to add 
resources of that domain as trusted resources. For example, when working with company 
XYZ on a project, you might share resources with members of this company. Qualys 
SaaSDR allows you to add domains and applications you trust to a Trusted list. Once 
included in the list, you can use the Non Trusted or Is Trusted filters in the Resources > 
Applications tab to view resources from other domains. 


Add Domains and Applications as Trusted 


You can add domains and applications to the trusted list by navigating to the 
Configuration > Trusts tab and clicking New. 


SaaS Detection and Response v HOME DASHBOARD DIRECTOR M RESOURCES POLICY MONITOR RES SPONSE REPORTS CONFIGURATION AGm 


Configuration 


TYPE VALUE CREATED ON CREATED BY 


DOMAIN ssad.com Dec 3, 2021 
" 


The Trusts tab lists the newly created trust. 


Remove Domains and Applications from the Trusted List 


You can remove a previously added domain/application from the trusted list by navigating 
to the Configuration » Trusts tab. 


SaaS Detection and Response HOME  DASHECARD DIRECTORY RESOURCES POLICY MONITOR RESPON: SE REPORTS CONFIGURATION ROT 


Configuration 


s 
^n v ETE 1-4of 4 Ce 


eie VALUE CREATED ON CREATED BY 


quergqwcom 


Zomato 


Select the applications/domains you wish to remove from the list and then click Actions > 
Delete to remove them from the list. 
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Customizable Dynamic Dashboard 


Customizable Dynamic Dashboard 


Dashboards help you visualize your data in a central, customizable dashboard and share 
the compliance status of your environment in real-time. 


Qualys SaaSDR integrates with Unified Dashboard (UD) to bring information from all 
Qualys applications into a single place for visualization. UD provides a powerful, new 
dashboarding framework and platform service that will be consumed and used by all 
other products to enhance the existing dashboard capabilities. 


Qualys SaaSDR offers several dashboards out-of-the-box. Each dashboard displays a short 
description of the information it offers. You can also easily configure widgets to pull 
information from other modules/applications and add them to your dashboard. You can 
also add as many dashboards as you like to customize your view. 


See the Unified Dashboard help for more information. 
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